Portal for ArcGIS Security 2016 Update 2 Patch

Summary

This security patch addresses multiple security vulnerabilities found in Portal for ArcGIS. Esri recommends that all customers using Portal for ArcGIS 10.2.2 and 10.3.1 apply this patch. Customers who are using 10.2 or 10.2.1 should first upgrade to 10.2.2. Customers who are using 10.3 should first upgrade to 10.3.1.

Description

Esri® announces the Portal for ArcGIS Security 2016 Update 2 Patch. Esri recommends that all customers using Portal for ArcGIS 10.2.2 and 10.3.1 apply this patch. This patch deals specifically with the issues listed below under Issues Addressed with this patch.

This security patch is cumulative and includes several non-security related fixes from an earlier patch that are also listed below under Issues Addressed with this Patch.

To avoid conflicts with existing patches, the 10.3.1 version patch also addresses these issues:

BUG-000094105 - Portal generateToken operation fails to reject POST requests which contain the username or password in the query parameter.

BUG-000091354 - Portal fails to refresh membership for users outside of the domain that the Portal server resides in.

BUG-000090552 - When editing the URL settings of an item in Portal for ArcGIS 10.3.1, the item URL does not save and reverts back to the original.

BUG-000088826 - After upgrading from 10.3 or earlier, passwords for built-in portal accounts in Portal for ArcGIS cannot be changed by the user.

BUG-000088682 - When Portal is configured to be SSL Only, Web AppBuilder URLs are saved as HTTP instead of HTTPs.

BUG-000085589 - Unable to display map layers added directly to a Portal Web Map when both Portal and ArcGIS Server are configured to use Integrated Windows Authentication (IWA) and both Web Adaptors are deployed on the same server. (Windows only)

BUG-000088505 - Portal highly available configuration should not be reset to standalone Portal if the shared content folder is not available.

BUG-000086481 - Incorrect geometries are displayed when reprojecting a hosted service in the map viewer.

BUG-000084180 - In Portal for ArcGIS when editing a user profile First Name and Last Name text fields always shows as blank under the Edit My Profile page.

To avoid conflicts with existing patches, the 10.2.2 version patch also addresses these issues:

BUG-000091521 - Portal for ArcGIS 10.2.x freezes Internet Explorer (10 and 11) when services are added to a web map using ‘Search for Layers’.

BUG-000083626 - When adding layers to the Portal map viewer without signing in, once a GIS server connection has been made, the drop down option to add layers can from the Portal no longer appears.

NIM104456 - Certain Portal operations fails to use the forward proxy server information defined in the system properties.

NIM104047 - Secure the portal's proxy capability.

NIM103102 - When adding a GIS tier secured ArcGIS for Server map service under 'My Content' in Portal for ArcGIS, the option to save credentials is available but when selected, the credentials are not saved.

NIM099352 - Unable to save credentials for ArcGIS for Server-based content being added to Portal from ArcGIS when the desired service is secured with Windows authentication.

Installing this patch on Windows

Installation Steps:

Portal for ArcGIS 10.3.1 or 10.2.2 must be installed before installing this patch.

Download the appropriate file to a location other than your ArcGIS installation location.

Make sure you have write access to your ArcGIS installation location,
and that no one is using ArcGIS.

Extract the specified tar file by typing:

% tar -xvf ArcGIS-<Version>-PFA-SEC2016U2-Patch-lx.tar

Start the installation by typing:

% ./applypatch

This will start the dialog for the menu-driven installation procedure. Default selections are noted in parentheses ( ). To quit the installation procedure, type 'q' at any time.

Patch Updates

Check the Patches and Service Packs page
periodically for the availability of additional patches. New information about
this patch will be posted here.

August 18, 2016: Portal for ArcGIS 10.2.2 setups are available for download.

How to identify which ArcGIS products are installed

To determine which ArcGIS products are installed, choose the appropriate version of the PatchFinder utility for your environment and run it from your local machine. PatchFinder will list all products, hot fixes, and patches installed on your local machine.